A digital audio/video data processing unit like a digital television decoder or “set top box” includes a main module gathering essential functions for the decryption of the received data, generally called deciphering or descrambling unit or calculation module. The audio/video data entering the calculation module is encrypted with control words CW transmitted in a control message ECM (Entitlement Control message) stream associated with the audio/video data stream. The calculation module includes a particular circuit in charge of extracting the control words CW from the control messages ECM and decrypting them using keys made available by the processing unit and/or by a security module associated to said unit.
A security module can be implemented in a variety of manners such as on a microprocessor card, on a smartcard or any electronic module in the form of a badge or key. These modules are generally portable and detachable from the host user unit and are designed to be tamper-proof. The most commonly used form has electrical contacts, but contactless versions of type ISO 14443 also exist. Another implementation of the security module consists either of a directly soldered integrated circuit inside the user unit or a circuit on a socket or connector such as a SIM (Subscriber Identity Module) module. The security module may also be integrated on a chip which has another function e.g. on a descrambling module or on a microprocessor module of a pay television set top box. The security module can also be implemented as a software device managed by a processor of the user unit.
A control message ECM contains, in addition to the control word, access conditions required for the control word to be sent back to the processing unit. At the time of the decryption of a control message usually encrypted by a transmission key, the security module verifies if the conditions to access audio/video data sent in a stream are satisfied, i.e. the access rights stored in the security module are present. These rights are generally sent by the head end in entitlement management messages EMM which update the rights stored in the security module.
The control word is only returned to the processing unit when the rights verification is successful. According to a known Pay-TV broadcasting mode, three elements are necessary to decrypt a program at a given time, namely:    a) Data related to the program encrypted by one or a plurality of control words,    b) Control message(s) ECM containing the control words and access conditions,    c) Corresponding user rights stored in the security module allowing verifying the access conditions.
Accounting for the use of audio video content or other conditional access data is based on subscription, purchases of selected programs or on payment by time units.
In order to improve security of the control words which are the most sensitive elements of a Pay-TV system, several solutions have been developed such as for example:
The document EP1485857B1 describes a method for matching a decoder with a removable security module. The system formed by the decoder and the security module receives digital audio/video data encrypted by a control word and control messages ECM containing the encrypted control word. A first key is assigned to the decoder and a second key to the security module. These two keys form a unique pair in the broadcast network of the audio/video data. Only one key of the key pair can be chosen arbitrarily while the other is determined according to the first key in a way that the combination of these two keys conforms to a pairing key of the system, thus allowing to decrypt the control word.
The document EP1421789B1 discloses a process of controlling access to encrypted data transmitted by an operator to a plurality of subscribers groups. Each group has a group key and each subscriber receives from the operator an operating key encrypted by the group key to decipher the transmitted data. The process consists of associating the operating key encrypted with the group key to a random value for generating a secret code. This code is transmitted via a management message EMM to the subscribers to calculate the operating key at the reception of the random value transmitted by control messages ECM. The process uses only one access control and it allows for dissuading the publication of the operating keys by making them dependent on the subscriber group.
The document EP1078524B1 describes a coupling or matching method in order to make a security module dependent on the host apparatus, in this case a Pay-TV decoder, and vice versa. The aim of this matching mechanism is to protect the communications between the security module and the decoder in order to prevent the capture, from the transmission channel, of the control words allowing for the deciphering of the transmitted program data. The matching allows also for the prevention of the use of the security module with a foreign host apparatus or conversely. The solution uses a unique key or a unique key pair to encrypt and decrypt the data exchanged between the security module and the decoder. This unique key is maintained secret and unchanged during the whole life of the related devices. One or other of the connected devices can verify, at any moment, the validity of the matching parameters and take appropriate counter-measures when a match is not found.
The document WO2006/040482 describes a method of recomposing a control word on the one hand by a security module and on the other hand by a decoder. Neither of the two devices alone can obtain the complete control word. The message including the two parts of the control word moreover contains two access conditions, one for the security module and the other for the decoder.
The document WO2009/144264A1 describes a method for secure processing digital access controlled audio/video data and a processing unit configured for the same and able to receive control messages. The control messages comprise at least one first control word and first right execution parameters, at least one second control word and second right execution parameters. The processing unit being connected to a first access control device comprises:                means for verifying and applying the first right execution parameters in relation to the contents of a memory associated to the first access control device and means for obtaining the first control word,        a second access control device integrated into the processing unit including means for verifying and applying the second right execution parameters in relation to the contents of a memory associated to the second access control device and means for obtaining the second control word,        a deciphering module configured for deciphering, sequentially with the first and the second control word, the access controlled audio/video data, the first and second control words being provided respectively by the first and second access control devices and stored in said deciphering module.        
The document EP1523188A1 discloses a method for pairing a first element and a second element, wherein the first element and the second element form a first decoding system among a plurality of receiving decoding systems in a broadcasting network. Each receiving decoding system is adapted to descramble scrambled audiovisual information received over the broadcasting network. A first key unique in the broadcasting network is selected. A second key is determined according to the first key, such that a combination of the first key and the second key enables to decrypt broadcasted encrypted control data that is received to be decrypted by each receiving decoding system, the encrypted control data being identical for each receiving decoding system. The first key and the second key are assigned respectively to the first element and the second element.
The document U.S. Pat. No. 5,029,207A discloses a decoder for descrambling encoded satellite transmissions comprising an internal security element and a replaceable security module. The program signal is scrambled with a key and then the key itself is twice-encrypted and multiplexed with the scrambled program signal. The key is first encrypted with a first secret serial number which is assigned to a given replaceable security module. The key is then encrypted with a second secret serial number which is assigned to a given decoder. The decoder performs a first key decryption using the second secret serial number stored within the decoder. The partially decrypted key is then further decrypted by the replaceable security module using the first secret serial number stored in the replaceable security module. The decoder then descrambles the program using the twice-decrypted key.
To sum up, the security of the control words may be improved by the following measures:                a transmission through a secured channel between the security module and the processing unit,        a plurality of conditional access modules requiring each a verification of the access conditions or rights,        reception of a control word in several parts sent either in one or several control messages. Appropriate instructions allow rebuilding the control word from its parts by a processing module before making it available to the descrambler.        